Your Industrial Site Requires Better Protection

Your Industrial Site Requires Better Protection against Cyberattacks

by Andrew Ginter, VP of Industrial Security, Waterfall Security Solutions

Firewalls are often the first security mechanism that is installed on any network. For industrial control and SCADA networks in sites such as water systems, power plants, manufacturing platforms, transportation signaling systems, among others, firewalls simply aren’t good enough to keep attack payloads away. Industrial plants need unidirectional gateway technology that make it physically impossible for remote cyberattacks to enter critical control systems.

Recently, we’ve been hearing about attackers using ransomware to threaten with the manipulation of the industrial controls of a nuclear power plant, or a municipal water system, or a sprawling petrochemical plant. It’s bad enough when financial institutions or large retailers experience the theft of millions of cardholder records, but at least nobody died from those incidents. But if an attacker could jack up the temperature gauges of a petrochemical hydrocracker unit, there could be massive casualties from the resulting explosions and fires.

Even back in 2013 Trend Micro reported an experiment the company conducted where it deployed a dozen honey pots around the world that were designed to look like the ICS (industrial control system) networks of municipal water utilities. Within four months, the honey pots attracted 74 intentional attacks, including at least 10 where the attackers were able to take over the control system. This experiment proved that attackers have both the intention and the ability to penetrate critical infrastructure systems that, in theory, should be less vulnerable than Internet-facing corporate networks.

In the industrial world, there were no connections between the control systems and the outside world until about two decades ago. That was when plant operators discovered there is a wealth of information in the control systems that could help them better manage their plants. For example, production units have to be taken offline every so often for maintenance. By collecting data from the control systems to understand how hard the equipment has been used, the managers might be able to optimize the schedules for maintenance. Running the equipment a few extra days between maintenance cycles could save millions of dollars a year.

When companies connected their control networks to their corporate networks for the purpose of gathering this data, they introduced the security problems that plague the corporate networks today. Everything from viruses to APTs (Advanced Persistent Threats) can jump across networks and get into the control networks that used to be thought of as invulnerable.

Even firewalls are insufficient to keep the bad stuff out

As anyone who manages firewalls on a corporate network knows, malicious payloads sometimes slip through undetected, and this could be disastrous for an industrial control network. That’s why many ICS networks are protected with a different kind of security device called a unidirectional security gateway.

Industrial plants separate their control networks from their corporate networks with a DMZ. Instead of a traditional firewall, a unidirectional gateway sits at the DMZ to allow data to flow from the control network to the corporate network on the outside, but nothing can flow back the other way. In fact, it’s physically impossible for data to flow two ways, and here’s why.

Open up a box. What do you see?

A firewall is a box with network in, and network out. If you take your screwdriver and open up the box to see what’s inside you see CPU and memory. A firewall is software. The heart of the unidirectional gateway is hardware. There are two boxes, not one. One box is copper in and fiber out and the other one is fiber in and copper out. There is a very short fiber connecting the boxes. In the transmit box there is a fiber optic transmitter and in the receive box there is a receiver.

Standard fiber optic chipsets have both in the same chip. If you open up a Waterfall box, it only has a transmitter in the transmit box and a receiver in the receive box. You can send from the transmit box to the receive box but you can’t send anything back. There is physically no laser in the receiver to send any signal back to the transmitter. And if you somehow managed to transmit matter to send a signal back, there is no receiver in the transmitter. It can’t even tell if the other end is powered on. It has no way to physically receive any signal.

This technology lets you move information out of your control system networks without any risk of an attack or virus or remote control attack because nothing can get back in. This works because 99% of the data transfer needs are out of control systems, which are designed to run safely indefinitely without outside input.

The data coming out of a control network comes from sensors, gauges, thermostats and the like on the industrial equipment. The data from these devices is consolidated into a historian server. It’s a database optimized for a single schema to keep track of hundreds of thousands of different data points of timestamp data so that for any measurement point, you can go back, for example, 10 seconds, 10 days, or even several years and see what the value was. This database tends to be the point of integration with SAP and other business systems.

Waterfall replicates the data gathered by the historian server on the outside of the control network. Software queries the original historian database, asks it for the data, and sends the data out over the one-way channel. On the other side it inserts the data into the replica database and keeps those two databases synchronized to within about a second of each other. Anyone who wants access to the data no longer reaches into the control system to ask the real system for data. Instead they reach into the copy and ask the copy for data. The copy has all of the data back to the beginning of time, and it has the latest data that is less than a second old. This satisfies the need for corporate to gather and use control device data without having any ability to send data back into those devices, even inadvertently.

Unidirectional gateway technology provides much stronger security than firewalls by preventing all communications from entering the control network. It’s no wonder that the technology is the recommended approach for industrial control systems by the U.S. Department of Homeland Security, France’s Agence Nationale de la secrete des systemes d’information (ANSSI), UK’s Department of Transport, among others. In APAC as well, regulatory bodies are in process of implementing cyber regulations including the use of unidirectional technology to protect industrial control systems and critical infrastructure. Don’t you think it’s time you should too?